FCDO Services

Microsoft Office 365

FCO Services' managed Microsoft Office 365 is specifically for government departments working at the OFFICIAL classification requiring a collaboration solution.
As a UK government department and Tier 1 Microsoft Cloud Solution Provider, FCO Services is uniquely positioned to support UK government departments in their cloud adoption and drive to cloud.

Features

• UK government OFFICIAL configuration tailored to UK government needs
• Flexible deployment scenarios including cloud, hybrid authentication and on premise
• Integration options such as Identity and Single Sign-On (SSO)
• Migration, platform administration and 1st/2nd/3rd line support options
• Advanced Email Antivirus and malware protection with 1GB mailbox storage
• Extensive Licensing plans as as Microsoft CSP
• IT Operations Management and Support up to 24x7x365

Benefits

• In government partner
• 100% UK Security cleared staff
• Complies with National Cyber Security Centre guidance e.g. DMARC
• Microsoft Cloud Solution Provider; enabling access to competitive licensing costs
• Can advise on ideal licensing options based on security requirements
• Experienced at deploying and supporting Office 365 for central government

£5.68 a user a month

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at FCOServices-SPGTenders@fco.gov.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

391119812594012

Contact

Elizabeth Arneill
01908 515789
FCOServices-SPGTenders@fco.gov.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Windows 10
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: Customers store and process UK OFFICIAL government data Agreement to FCO Services standard ‘secure’ configuration in line with UK government recommended guidelines ; Agreement to FCO Services standard service policies related to restrictions on connectivity and web browsing ; As a Software-As-A-Service Solutions Microsoft 365) has it's own specified availability targets as part of its service offering which consumers of the service accept.
• System requirements:
  • Computer and processor Windows: 1.6 GHz or faster, 2-core.
  • 2.0 GHz or greater recommended for Skype for Business
  • MacOS: Intel processor
  • Memory Windows: 4GB RAM; 2 GB RAM (32-bit)
  • MacOS: 4 GB RAM
  • Hard disk Windows: 4.0 GB of available disk space
  • MacOS: 10 GB of available disk space.
  • Display Windows: 1280 x 768 screen resolution
  • MacOS: 1280 x 800 screen resolution

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Based on the priority of the ticket, FCO Services can respond within 30 minutes on a 24x7x365 basis.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: FCO Services operational support capability is supported by its use of a recognised, industry leading, ITSM platform and is aligned to industry recognised frameworks and standards that include ITIL, ISO 9001, ISO 20000, ISO 27001 and ISO 22301. Core operational support practices include Incident, Request,; Configuration, Change, & Service Performance Management which can be delivered on a 24x7x365 basis with the single point of contact for customers being the FCO Service Global Support Centre (GSC).
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: FFCO services carries out a standard set of activities to on-board customers as part of its Transition-Into-Service. In order to facilitate this the following information is required from the customer - identified through initial engagement. User details (Minimum information required is First Name, Surname, Telephone, Email Address, Organisation/Company) Agreement; on any accepted variances to standard service offerings and configuration settings Customer confirmation of Greenfield/Migration implementation/Transition to FCO Services Microsoft relationship management details External domains used and technical points of contact Clients & Web browsers used to connect to Microsoft applications Microsoft Exchange - Version of Exchange (On Premise), Exchange prerequisites, Client(s) used to connect to exchange Microsoft Dynamics - Version of Dynamics (On Premises), Environments to be managed and supported (e.g. Test/Dev, Pre-Production, Production), Microsoft Dynamics pre-requisites As part of On-Boarding, and full acceptance-intoservice, FCO Services will allocate a Service Delivery Manager (SDM) to the customer who will act as the operational point of contact for the duration of service provision.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: In the event of customer confirmation for off-boarding the SDM will liaise with the customer to understand the customer needs and initiate service decommissioning steps that would include, but not limited to:-; ; • Timescales ; • Device decommissioning procedures; • Data backup/transfer
• End-of-contract process: The service is designed so that customers have the ability to extract their data from the service at any time. Upon termination or expiration of the customer’s subscription, the customer may contact FCO Services and request that: ; a) Their accounts be disabled and all data deleted (in accordance with assured processes); or ; b) The customer data is retained in a limited function for a maximum of 28 days after expiration or termination of the service so that further data may be extracted.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Windows
  • Windows Phone
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Mobile optimised.
• Service interface: Yes
• Description of service interface: Office 365 provides web interfaces for all Office 365 SaaS applications including but not limited to: • Outlook, OneNote, OneDrive, Excel, Word, PowerPoint, SharePoint, Teams, Yammer, Calendar, Flow that can be used; separately or in conjunction with desktop software. Also provided are web interfaces for Office 365 tenant management that administrators can use to manage every aspect of Office 365 these web interfaces can be tailored by FCO Services to suit individual needs including role based access models dependent on customer requirements. All configuration is undertaken through the management consoles using a combination of GUI, PowerShell and Azure runbook scripting.
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: Because Microsoft is a major software and cloud-services provider to states and governments around the world, it is committed to complying with all relevant international standards and compliance controls. By adhering to these wide ranging accessibility standards, Microsoft ensures that all customers - both inside and outside of government can use Microsoft services and products.
• API: No
• Customisation available: Yes
• Description of customisation: FCO Services secure configuration of the Microsoft Office 365 has been configured to reflect best practice guidelines as defined by the NCSC. ; During initial engagement any customer requirements where configuration changes are identified will require discussion and agreement.

Scaling

• Independence of resources: FCO Services can provide the expertise required to ensure your Office 365 solution can scale quickly and react to additional workloads meaning that when your current resources are at full capacity, additional resources can be added dynamically.; ; This can be achieved by capacity analysis providing you with threshold limits, current and future utilisation to ensure an elastic cloud solution service.; ; For cloud and hybrid deployment models each customer is; provisioned with its own environment isolated from other; customers with its own resources and capacity.

Analytics

• Service usage metrics: Yes
• Metrics types: Standard Microsoft Office 365 Reporting Dashboard; Office activation's; User Activity - Email, Teams, Skype; for Business; Files - SharePoint, OneDrive
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Microsoft

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Small exports (up to 4GB) can be through approved encrypted USB sticks and large volumes (4GB and above) via encrypted approved USB hard drive via request.
• Data export formats: Other
• Data import formats: Other

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Availability management for the MSO365 environments is determined by Microsoft availability targets for the service offering procured by FCO from Microsoft – this is 99.9% for MS Office 365 Cloud services.; Note: Worldwide uptimes are published by MS on https://products.office.com/en-us/business/office-365-trust-center-operations with FCO Services able to provide reports on the FCO MS service offering through the standard MSO365 dashboard reporting.
• Approach to resilience: Resiliency is the ability of a cloud-based service to withstand certain types of failures whilst remaining fully-functional from the customers' perspective. Data resiliency means that no matter what failures occur within Office 365, critical customer data remains unaffected. Office 365 services have been designed around five specific resiliency principles:; 1. Non-critical data (e.g., whether or not a message was read) can be dropped in rare failure scenarios. Critical data (e.g., customer data such as email messages) should be protected at extreme cost. As a design goal, delivered mail messages are always critical, and things like whether or not a message has been read is noncritical. ; 2. Copies of customer data must be separated into different fault zones to provide failure isolation. ; 3. Critical customer data must be monitored for failing any part of Atomicity, Consistency, Isolation, Durability. ; 4. Customer data must be protected from corruption. ; 5. Most data loss results from customer actions, so allow customers to recover on their own using a GUI that enables them to restore accidentally deleted items. ; Building to these principles, coupled with robust testing, Office 365 is able to exceed the requirements of customers while ensuring a platform for continuous innovation and improvement.
• Outage reporting: All MS O365 outages are reported here: https://status.office365.com/; ; FCO Services have also integrated our onpremise SCOM (System Center Operations Manager) system to monitor alerts directly to our tenants via the Service Health admin portal.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Management interfaces are restricted to key support personnel, audited and monitored, accessed through dedicated hardware device and dedicated Bastion infrastructure.; Secure devices follow National Cyber Security Centre (NCSC) guidance; Bastion infrastructure requires 2 factor authentication to access management interfaces.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Less than 1 month
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 14th January 2019. Expires 13th January 2022
• What the ISO/IEC 27001 doesn’t cover: This is in scope:; FCO Services Global Digital Technology including infrastructure, development, operations and support for Secure Managed and hosted IT Services holding information up to "OFFICIAL" tier of the UK Government's classification scheme in accordance with statement of Applicability dated 27 July 2018.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications:
  • Cyber Essentials Plus
  • ISO 20000
  • ISO 9001
  • ISO 9001

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: FCO Services products and operational support and; management are designed with security in mind with; consideration and alignment with the National Cyber Security; Centre (NCSC) 'Cloud Security Principles' - in addition to; alignment with the ITIL framework and compliance with the; following ISO Standards:- * 27001 (Information Security; Management) * Cyber Essentials Plus * 20000 (Service; Management System) * 9001 (Quality Management) * 22301; (Business Continuity Management) FCO Services ISO; accreditation is independently verified, annually, by an external; assessor, and also manages the UK National Authority for; Counter Eavesdropping (UK NACE) - who have more than 65; years of experience in detecting and protecting against; technical espionage and attacks

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The FCO Services Configuration Management System (CMS) is used to manage and control the components comprising products and services being supported – recorded within the FCO Services ITSM Configuration Management database (CMDB). Utilisation of a standardised data model of technical and non-technical components, the Configuration Items (CI’S); are managed in a consistent controlled manner aiding the evaluation ofimpacts and risks during the Change Management process. From a customer perspective, the standard offering within the FCO Services CMS will hold detail on the services operationally managed and supported with the associated CI’s.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: FCO Services vulnerability management approach is aligned to meet the Information Assurance requirements expected by all HMG organisations as well as international standards for information Security management (e.g. Cabinet Office Security Policy Framework, ISO/IEC 27001:203).; This ensures that both internal and client systems managed by FCO Services are subject to standard procedures for the identification of vulnerabilities as well as the safe and timely installation of patches with maximum permitted timescales. Patches are prioritised dependent upon categorisation of systems under FCO Services management responsibility with vulnerabilities systematically assessed and remediated on timescales ranging from immediate to 4 weeks.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: FCO Services protective monitoring encompasses security, availability and resilience with options available for customer specific requirements and solutions that can be delivered on a 24x7x365 basis - with incidents classified as Major incidents KPI metrics based on responses within 30 minutes. Any agreed targets are supported using FCO Services ISO 2000 accredited processes which take an integrated approach to Event, Incident, Problem and Change Management - with FCO Services Major; Incident and Service Performance Management practices delivering further detail to customers in the event of issues encountered over an agreed reporting period.
• Incident management type: Supplier-defined controls
• Incident management approach: FCO Services’ Global Support Centre acts as the single point of contact for all interactions, incidents and service requests from the customer, with the service capable of delivering operational support and management on a 24x7x365 basis. The primary objective for incident management is the use of structured incident management activities to identify and resolve; service quality issues within service level targets agreed during initial customer engagement. The GSC can support multiple contact methods which include direct interaction with the customer end-user or desk-desk interaction which triages calls before allocation to FCO Services.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Public Services Network (PSN)

Pricing

• Price: £5.68 a user a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at FCOServices-SPGTenders@fco.gov.uk. Tell them what format you need. It will help if you say what assistive technology you use.